I am new to php and I am getting this error trying to load a cert
jameys-macbookpro41:~ user$ php -f ~/Sites/providerService.php
Warning: s
Notes for the future (after having a big headache because of all of this):
1. If you get the handshake error - the pem file you created is probably wrong.
a. Make sure the file is in the same directory as the php you are trying to run.
b. Export the certificate p12 file AND the key under it in the Keychain Access utility. Both of these files will be the SAME size, but they ARE different.
c. Do the above "openssl" commands in the Macintosh terminal.
btw, the message "Failed to enable crypto" will disappear when the system runs correctly.
You are getting an error because it's trying to find your cert.pem file in the directory you are running the script from, not the directory the script is in. In your example, it is your user directory "~".
Try changing your class to this, or something similar:
class pushNotifications {
    ...
    private $sslPem = 'cert.pem';
    ...
    function connectToAPNS(){
        $streamContext = stream_context_create();
        // Resolve the certificate relative to this script, not the current working directory
        stream_context_set_option($streamContext, 'ssl', 'local_cert', dirname(__FILE__) . '/' . $this->sslPem);
        ...
    }
}
Just change the owner to www-data. It will work :)
sudo chown www-data:www-data ck.pem
The default user of Apache is www-data.
As a complementary tip, for anyone having the same issue: when exporting the private key from Apple's keychain access, and converting to .pem, SPECIFY A PASSWORD.
For some reason, it seems leaving a blank password in one of the exports removes the private key, thus the final .pem is not complete.
So put a dummy password, even if you later remove it using openssl.
I was having this issue as well, it turns out that for some reason my private key didn't match the one associated with the aps_developer_identity.cer I had...
I ended up clearing all of my public and private keys from my 'login' keychain item, then I started the entire process over again (Generated the request)...I submitted the new request file on the program portal and generated a new certificate, downloaded, and installed it by double-clicking it (developer_identity.cer). Then, I reset the provisioning profiles to use the new Push SSL certs, downloaded those, and installed them by double-clicking (aps_developer_identity.cer). Finally, I reset the provisioning profile and downloaded the new one. I cleared out the old one in the Xcode Organizer, and installed the new one. Finally, I exported my 'private' key as key.p12 and my aps_developer_identity.cer as apsdi.p12, and ran the following commands against them:
openssl pkcs12 -clcerts -nokeys -out apsdi.pem -in apsdi.p12
openssl pkcs12 -nocerts -out key.pem -in key.p12
If you're okay using a passphrase (recommended for production):
cat apsdi.pem key.pem > cert.pem
If you wish to use a 'blank' passphrase, you'll need to unencrypt your private key first, using the password you specified when you converted it to pem format:
openssl rsa -in key.pem -out key.unencrypted.pem
And then cat the cert and unencrypted key into apns.pem (or whatever filename you have chosen):
cat apsdi.pem key.unencrypted.pem > apns.pem
It's very important that you export your aps_developer_identity certificate, not your developer_identity certificate as apsdi.pem.
If you can expand your developer_identity.cer and aps_developer_identity.cer entries in Keychain Access, and you see a 'private' key when you do, everything should work.
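The failure causes named in the answers above (file not found from the working directory, file not readable by the web server user, private key missing from the PEM, private key not matching the certificate) can be told apart before the script connects. This is an added example, not code from any of the posts: `checkApnsPem()` and `makeKey()` are hypothetical names, the keys and certificate are constructed throwaway test material, and it assumes PHP's openssl extension with a usable openssl.cnf.

```php
<?php
// Added example: preflight check for the combined PEM before it is used as
// 'local_cert'. checkApnsPem() and makeKey() are hypothetical names.
function checkApnsPem(string $path, string $passphrase = ''): string
{
    if (!is_file($path) || !is_readable($path)) {
        return 'unreadable';        // wrong directory, or wrong owner/mode
    }
    $pem  = file_get_contents($path);
    $cert = openssl_x509_read($pem);   // first CERTIFICATE block in the file
    if ($cert === false) {
        return 'no-certificate';
    }
    if (strpos($pem, 'PRIVATE KEY-----') === false) {
        return 'no-private-key';    // the export dropped the key
    }
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        return 'key-unreadable';    // wrong passphrase or damaged key block
    }
    return openssl_x509_check_private_key($cert, $key) ? 'ok' : 'key-mismatch';
}

// Constructed sample material: throwaway RSA keys and a self-signed certificate.
function makeKey()
{
    return openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
}

$keyA = makeKey();
$keyB = makeKey();
$csr  = openssl_csr_new(['commonName' => 'constructed-example'], $keyA);
$x509 = openssl_csr_sign($csr, null, $keyA, 1);
openssl_x509_export($x509, $certPem);
openssl_pkey_export($keyA, $keyAPem);
openssl_pkey_export($keyB, $keyBPem);

$dir = sys_get_temp_dir() . '/apns-pem-check-' . getmypid();
mkdir($dir, 0700);
$cases = ['good.pem' => $certPem . $keyAPem, 'certonly.pem' => $certPem, 'mismatch.pem' => $certPem . $keyBPem];
foreach ($cases as $name => $contents) {
    file_put_contents("$dir/$name", $contents);
    chmod("$dir/$name", 0600);      // private key material: owner-only
    echo $name, ': ', checkApnsPem("$dir/$name"), PHP_EOL;
    unlink("$dir/$name");
}
echo 'missing.pem: ', checkApnsPem("$dir/missing.pem"), PHP_EOL;
rmdir($dir);
```

Run the check as the same user the web server runs under, since readability depends on the file's owner and mode.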